Line | Count | Source |
1 | | /* $OpenBSD: kexgexc.c,v 1.42 2026/03/03 09:57:25 dtucker Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2000 Niels Provos. All rights reserved. |
4 | | * Copyright (c) 2001 Markus Friedl. All rights reserved. |
5 | | * |
6 | | * Redistribution and use in source and binary forms, with or without |
7 | | * modification, are permitted provided that the following conditions |
8 | | * are met: |
9 | | * 1. Redistributions of source code must retain the above copyright |
10 | | * notice, this list of conditions and the following disclaimer. |
11 | | * 2. Redistributions in binary form must reproduce the above copyright |
12 | | * notice, this list of conditions and the following disclaimer in the |
13 | | * documentation and/or other materials provided with the distribution. |
14 | | * |
15 | | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
16 | | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
17 | | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
18 | | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
19 | | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
20 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
21 | | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
22 | | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
23 | | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
24 | | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
25 | | */ |
26 | | |
27 | | #include "includes.h" |
28 | | |
29 | | #ifdef WITH_OPENSSL |
30 | | #include "openbsd-compat/openssl-compat.h" |
31 | | |
32 | | #include <sys/types.h> |
33 | | |
34 | | #include <openssl/bn.h> |
35 | | #include <openssl/dh.h> |
36 | | |
37 | | #include <stdarg.h> |
38 | | #include <stdio.h> |
39 | | #include <string.h> |
40 | | #include <signal.h> |
41 | | |
42 | | #include "sshkey.h" |
43 | | #include "digest.h" |
44 | | #include "kex.h" |
45 | | #include "log.h" |
46 | | #include "packet.h" |
47 | | #include "dh.h" |
48 | | #include "ssh2.h" |
49 | | #include "compat.h" |
50 | | #include "dispatch.h" |
51 | | #include "ssherr.h" |
52 | | #include "sshbuf.h" |
53 | | #include "misc.h" |
54 | | |
55 | | static int input_kex_dh_gex_group(int, uint32_t, struct ssh *); |
56 | | static int input_kex_dh_gex_reply(int, uint32_t, struct ssh *); |
57 | | |
58 | | int |
59 | | kexgex_client(struct ssh *ssh) |
60 | 1.22k | { |
61 | 1.22k | struct kex *kex = ssh->kex; |
62 | 1.22k | int r; |
63 | 1.22k | u_int nbits; |
64 | | |
65 | 1.22k | nbits = dh_estimate(kex->dh_need * 8); |
66 | | |
67 | 1.22k | kex->min = DH_GRP_MIN; |
68 | 1.22k | kex->max = DH_GRP_MAX; |
69 | 1.22k | kex->nbits = nbits; |
70 | 1.22k | if (ssh->compat & SSH_BUG_DHGEX_LARGE) |
71 | 0 | kex->nbits = MINIMUM(kex->nbits, 4096); |
72 | | /* New GEX request */ |
73 | 1.22k | if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 || |
74 | 1.22k | (r = sshpkt_put_u32(ssh, kex->min)) != 0 || |
75 | 1.22k | (r = sshpkt_put_u32(ssh, kex->nbits)) != 0 || |
76 | 1.22k | (r = sshpkt_put_u32(ssh, kex->max)) != 0 || |
77 | 1.22k | (r = sshpkt_send(ssh)) != 0) |
78 | 0 | goto out; |
79 | 1.22k | debug("SSH2_MSG_KEX_DH_GEX_REQUEST(%u<%u<%u) sent", |
80 | 1.22k | kex->min, kex->nbits, kex->max); |
81 | | #ifdef DEBUG_KEXDH |
82 | | fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n", |
83 | | kex->min, kex->nbits, kex->max); |
84 | | #endif |
85 | 1.22k | debug("expecting SSH2_MSG_KEX_DH_GEX_GROUP"); |
86 | 1.22k | ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_GROUP, |
87 | 1.22k | &input_kex_dh_gex_group); |
88 | 1.22k | r = 0; |
89 | 1.22k | out: |
90 | 1.22k | return r; |
91 | 1.22k | } |
92 | | |
93 | | static int |
94 | | input_kex_dh_gex_group(int type, uint32_t seq, struct ssh *ssh) |
95 | 102 | { |
96 | 102 | struct kex *kex = ssh->kex; |
97 | 102 | BIGNUM *p = NULL, *g = NULL; |
98 | 102 | const BIGNUM *pub_key; |
99 | 102 | int r, bits; |
100 | | |
101 | 102 | debug("SSH2_MSG_KEX_DH_GEX_GROUP received"); |
102 | 102 | ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_GROUP, &kex_protocol_error); |
103 | | |
104 | 102 | if ((r = sshpkt_get_bignum2(ssh, &p)) != 0 || |
105 | 84 | (r = sshpkt_get_bignum2(ssh, &g)) != 0 || |
106 | 61 | (r = sshpkt_get_end(ssh)) != 0) |
107 | 53 | goto out; |
108 | 49 | if ((bits = BN_num_bits(p)) < 0 || |
109 | 49 | (u_int)bits < kex->min || (u_int)bits > kex->max) { |
110 | 2 | r = SSH_ERR_DH_GEX_OUT_OF_RANGE; |
111 | 2 | goto out; |
112 | 2 | } |
113 | 47 | if ((kex->dh = dh_new_group(g, p)) == NULL) { |
114 | 0 | r = SSH_ERR_ALLOC_FAIL; |
115 | 0 | goto out; |
116 | 0 | } |
117 | 47 | p = g = NULL; /* belong to kex->dh now */ |
118 | | |
119 | | /* generate and send 'e', client DH public key */ |
120 | 47 | if ((r = dh_gen_key(kex->dh, kex->we_need * 8)) != 0) |
121 | 20 | goto out; |
122 | 27 | DH_get0_key(kex->dh, &pub_key, NULL); |
123 | 27 | if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_INIT)) != 0 || |
124 | 27 | (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 || |
125 | 27 | (r = sshpkt_send(ssh)) != 0) |
126 | 0 | goto out; |
127 | 27 | debug("SSH2_MSG_KEX_DH_GEX_INIT sent"); |
128 | | #ifdef DEBUG_KEXDH |
129 | | DHparams_print_fp(stderr, kex->dh); |
130 | | fprintf(stderr, "pub= "); |
131 | | BN_print_fp(stderr, pub_key); |
132 | | fprintf(stderr, "\n"); |
133 | | #endif |
134 | 27 | debug("expecting SSH2_MSG_KEX_DH_GEX_REPLY"); |
135 | 27 | ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY, &input_kex_dh_gex_reply); |
136 | 27 | r = 0; |
137 | 102 | out: |
138 | 102 | BN_clear_free(p); |
139 | 102 | BN_clear_free(g); |
140 | 102 | return r; |
141 | 27 | } |
142 | | |
143 | | static int |
144 | | input_kex_dh_gex_reply(int type, uint32_t seq, struct ssh *ssh) |
145 | 20 | { |
146 | 20 | struct kex *kex = ssh->kex; |
147 | 20 | BIGNUM *dh_server_pub = NULL; |
148 | 20 | const BIGNUM *pub_key, *dh_p, *dh_g; |
149 | 20 | struct sshbuf *shared_secret = NULL; |
150 | 20 | struct sshbuf *tmp = NULL, *server_host_key_blob = NULL; |
151 | 20 | struct sshkey *server_host_key = NULL; |
152 | 20 | u_char *signature = NULL; |
153 | 20 | u_char hash[SSH_DIGEST_MAX_LENGTH]; |
154 | 20 | size_t slen, hashlen; |
155 | 20 | int r; |
156 | | |
157 | 20 | debug("SSH2_MSG_KEX_DH_GEX_REPLY received"); |
158 | 20 | ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REPLY, &kex_protocol_error); |
159 | | |
160 | | /* key, cert */ |
161 | 20 | if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0) |
162 | 2 | goto out; |
163 | | /* sshkey_fromb() consumes its buffer, so make a copy */ |
164 | 18 | if ((tmp = sshbuf_fromb(server_host_key_blob)) == NULL) { |
165 | 0 | r = SSH_ERR_ALLOC_FAIL; |
166 | 0 | goto out; |
167 | 0 | } |
168 | 18 | if ((r = sshkey_fromb(tmp, &server_host_key)) != 0 || |
169 | 13 | (r = kex_verify_host_key(ssh, server_host_key)) != 0) |
170 | 6 | goto out; |
171 | | /* DH parameter f, server public DH key, signed H */ |
172 | 12 | if ((r = sshpkt_get_bignum2(ssh, &dh_server_pub)) != 0 || |
173 | 10 | (r = sshpkt_get_string(ssh, &signature, &slen)) != 0 || |
174 | 8 | (r = sshpkt_get_end(ssh)) != 0) |
175 | 5 | goto out; |
176 | 7 | if ((shared_secret = sshbuf_new()) == NULL) { |
177 | 0 | r = SSH_ERR_ALLOC_FAIL; |
178 | 0 | goto out; |
179 | 0 | } |
180 | 7 | if ((r = kex_dh_compute_key(kex, dh_server_pub, shared_secret)) != 0) |
181 | 1 | goto out; |
182 | 6 | if (ssh->compat & SSH_OLD_DHGEX) |
183 | 0 | kex->min = kex->max = -1; |
184 | | |
185 | | /* calc and verify H */ |
186 | 6 | DH_get0_key(kex->dh, &pub_key, NULL); |
187 | 6 | DH_get0_pqg(kex->dh, &dh_p, NULL, &dh_g); |
188 | 6 | hashlen = sizeof(hash); |
189 | 6 | if ((r = kexgex_hash( |
190 | 6 | kex->hash_alg, |
191 | 6 | kex->client_version, |
192 | 6 | kex->server_version, |
193 | 6 | kex->my, |
194 | 6 | kex->peer, |
195 | 6 | server_host_key_blob, |
196 | 6 | kex->min, kex->nbits, kex->max, |
197 | 6 | dh_p, dh_g, |
198 | 6 | pub_key, |
199 | 6 | dh_server_pub, |
200 | 6 | sshbuf_ptr(shared_secret), sshbuf_len(shared_secret), |
201 | 6 | hash, &hashlen)) != 0) |
202 | 0 | goto out; |
203 | | |
204 | 6 | if ((r = sshkey_verify(server_host_key, signature, slen, hash, |
205 | 6 | hashlen, kex->hostkey_alg, ssh->compat, NULL)) != 0) |
206 | 6 | goto out; |
207 | | |
208 | 0 | if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) != 0 || |
209 | 0 | (r = kex_send_newkeys(ssh)) != 0) |
210 | 0 | goto out; |
211 | | |
212 | | /* save initial signature and hostkey */ |
213 | 0 | if ((kex->flags & KEX_INITIAL) != 0) { |
214 | 0 | if (kex->initial_hostkey != NULL || kex->initial_sig != NULL) { |
215 | 0 | r = SSH_ERR_INTERNAL_ERROR; |
216 | 0 | goto out; |
217 | 0 | } |
218 | 0 | if ((kex->initial_sig = sshbuf_new()) == NULL) { |
219 | 0 | r = SSH_ERR_ALLOC_FAIL; |
220 | 0 | goto out; |
221 | 0 | } |
222 | 0 | if ((r = sshbuf_put(kex->initial_sig, signature, slen)) != 0) |
223 | 0 | goto out; |
224 | 0 | kex->initial_hostkey = server_host_key; |
225 | 0 | server_host_key = NULL; |
226 | 0 | } |
227 | | /* success */ |
228 | 20 | out: |
229 | 20 | explicit_bzero(hash, sizeof(hash)); |
230 | 20 | DH_free(kex->dh); |
231 | | kex->dh = NULL; |
232 | 20 | BN_clear_free(dh_server_pub); |
233 | 20 | sshbuf_free(shared_secret); |
234 | 20 | sshkey_free(server_host_key); |
235 | 20 | sshbuf_free(tmp); |
236 | 20 | sshbuf_free(server_host_key_blob); |
237 | 20 | free(signature); |
238 | 20 | return r; |
239 | 0 | } |
240 | | #endif /* WITH_OPENSSL */ |